Jesse’s Story of the Day

WSF closes security flaw after customer’s discovery


A Ferry rider discovered some issues with Washington State Ferries Wave2Go ticketing system. Richard Tetu forgot his password to his online account and went through the process of retrieving it.

“All I have to do is enter my email address and my user name which is…. like many people, very similar. Then I got an email with my password in the clear, in the wide open,” said Tetu.

This means anyone who has your email address can hack into your account, which could be used to buy tickets on your credit card account. Tetu tried to change his password, but discovered he couldn’t reset it.   Customers must call WSF, tell them the new password and have it changed.  That means customer service representatives will know the account name and password of those who call in.  When Richard emailed WSF his concerns, the agency sent this response,

“The Wave2Go ticketing platform is an older system with some restrictions, and changing passwords is one of them. It isn’t possible to change it. If you have a situation that requires a new password, the only option is to create a new account.”

“Well what happens to the old account? I’ve tried putting a fake number, they won’t let you. So you have to put a real number, it’s there for good and you can’t delete it,” said Tetu.  “I was just concerned about what seems to be a small flaw, maybe a big flaw, in the security of their website.”

After Tetu’s discovery, the department says the staff will no longer change user’s passwords for them and instead cancel the old account permanently.

Now, you don’t have to have a Wave2Go account to buy ferry tickets.  So if you’re worried about storing your information – – just buy your tickets as you go and skip creating an account.

Share on Facebook
Share on Twitter